Communications:
We will use Piazza to communicate with you. You are welcome to use Piazza to set up study groups, to post interesting security incidents you read about (please tag these as "interesting incident in the news"), or to discuss the course with other students. If you have a question about the course you should: (a) Come to office hours, OR (b) Post to Piazza. Questions posted to Piazza will be answered by the course staff on Friday, Sunday, and Monday, and on a best-effort basis throughout the rest of the week.

If you need to talk to the course staff in private, you can send us a private message on Piazza to let us know that you want to have a private conversation during office hours. Then show up at office hours to discuss your issue. You should not expect a response; instead assume we have read your message and you should then just show up at office hours. If you want to talk to one of us in person but absolutely can't make office hours, please send the relevant person an email with at least three different options for when you are available to meet.

Ethics

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university's rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), a federal statute that broadly criminalizes computer intrusion. This is one of several laws that govern "hacking." Understand what this law prohibits.

The order of encryption and authentication, and the fact that encrypt-then-MAC is both a good secure channel implementation and a CCA-secure symmetric encryption scheme.

The basics of AES.

Assigned reading: Sections 5-5.2.2, 5.3.2-5.3.3 of Anderson's book.

Background reading: The Battle of the Clipper Chip, New York Times, June 12, 1994.

Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 1.2 (encryption), Section 1.4 (useful background), Section 2.1-2.3 (One Time Pad), Section 3.2-3.21 (more on encryption), Section 3.5 (CPA security), Section 3.7 (CCA security), Section 4-4.3 (MACs).

Hashing (Jan 30 - Feb 6)

The Merkle-Damgård construction for hash functions.

Properties of cryptographic hash functions: collision resistance and one-wayness (one-way functions, OWF). Currently we use SHA-256 and SHA-3 to instantiate cryptographic hash functions. In the past we used MD5 (broken: collisions found) and SHA-1 (cryptanalytic evidence suggests this will be broken soon, and it is deprecated).

PRFs and HMAC. These are keyed hash functions. We model these as indistinguishable from random functions for an adversary that does not know the key.

Hash proofs of work. (Used in Bitcoin! The specific scheme we talk about in class, i.e. finding a nonce n such that H(n,message)=00000000000........, was devised as part of hashcash.)
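The nonce search described above, as an added example that is not part of the course materials. It assumes SHA-256 for H, an 8-byte big-endian encoding of the nonce in front of the message, and a difficulty counted in leading zero bits; the function names are illustrative.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Count how many zero bits the digest starts with."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def pow_hash(nonce: int, message: bytes) -> bytes:
    """H(n, message). The fixed-width nonce keeps the encoding unambiguous
    (assumed encoding, not taken from the course)."""
    return hashlib.sha256(nonce.to_bytes(8, "big") + message).digest()


def solve(message: bytes, difficulty_bits: int) -> int:
    """Prover: try nonces 0, 1, 2, ... until the hash has enough leading zeros.
    Expected work is about 2**difficulty_bits hash evaluations."""
    nonce = 0
    while leading_zero_bits(pow_hash(nonce, message)) < difficulty_bits:
        nonce += 1
    return nonce


def verify(nonce: int, message: bytes, difficulty_bits: int) -> bool:
    """Verifier: a single hash evaluation, however long the search took."""
    return leading_zero_bits(pow_hash(nonce, message)) >= difficulty_bits


if __name__ == "__main__":
    msg = b"constructed sample message"
    for bits in (8, 12, 16, 20):
        n = solve(msg, bits)
        print(f"{bits:2d} zero bits: nonce={n:8d} "
              f"hash={pow_hash(n, msg).hex()[:16]}... ok={verify(n, msg, bits)}")
```

Each extra bit of difficulty doubles the prover's expected work while the verifier's cost stays at one hash, which is the asymmetry a proof of work relies on.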

The birthday paradox and the difference between collision resistance and target-collision resistance (or one-wayness) for random functions. OR: Why does SHA-256 provide only 128 bits of security against collision attacks?
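To see the gap between the two notions on a scale that finishes in seconds, the following added example (not from the course materials) truncates SHA-256 to a few bits and counts the hashes needed for a collision versus a match against one fixed target. The truncation, the counter-based inputs and the function names are assumptions made for the demonstration.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: any two distinct inputs with the same output.
    Returns (m1, m2, hashes_computed); expected cost is about 2**(bits/2)."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        counter += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int):
    """Targeted search: a different input matching one fixed output.
    Returns (msg, hashes_computed); expected cost is about 2**bits."""
    want = truncated_hash(target, bits)
    counter = 0
    while True:
        msg = b"try-%d" % counter
        counter += 1
        if msg != target and truncated_hash(msg, bits) == want:
            return msg, counter


if __name__ == "__main__":
    target = b"constructed target"  # sample input made up for this demo
    for bits in (12, 16, 20):
        _, _, c = find_collision(bits)
        _, p = find_second_preimage(target, bits)
        print(f"{bits} bits: collision after {c} hashes "
              f"(2^{bits // 2} = {2 ** (bits // 2)}), "
              f"targeted match after {p} hashes (2^{bits} = {2 ** bits})")
```

The same square-root relationship at the full 256-bit output is why collision search against SHA-256 costs about 2^128 hash evaluations.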

Reference in Anderson: Sections 5.2.4, 5.3.1 of Anderson's book.

Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 3.6.1 (PRFs), Section 4.6 (Collision resistant hash functions), Section 4.7.2 (HMAC - just construction 4.17), Section 6.1.1 (one-way functions), Appendix A.4 (the birthday paradox).

Public Key Cryptography: Digital Signatures, Encryption, And Key Exchange. (Feb 11-Feb 18)

PK Encryption

Digital Signatures

The basics of RSA encryption and RSA signatures. Why textbook RSA is not actually a secure encryption or digital signature scheme. Why we need encryption standards like PKCS #1 v1.5 and OAEP.

The hash-and-sign paradigm for digital signatures.

Key exchange protocols:

The basics of the TLS handshake (i.e., the key exchange protocol). See here. The gory details are here.

Diffie-Hellman Key Exchange and Perfect Forward Secrecy (PFS). This article has a nice explanation, and talks about how SSL is moving towards using DH key exchange instead of the encryption-based protocol described above.

Why classic Diffie-Hellman is not secure against an "active" man-in-the-middle adversary that tampers with or alters the messages sent between Alice and Bob.

Key exchange protocols that are based on Diffie-Hellman and are secure against active adversaries.
My source for this is Hugo Krawczyk's excellent slides on SIGMA protocols.
These protocols are used for IKE (Internet Key Exchange) for IPsec.

Readings in Anderson: Section 5.2.5 (Asymmetric primitives), Sections 5.7.1 (RSA), 5.7.2.2 (Diffie-Hellman Key Exchange), 5.7.5 (Certificates) of Anderson's book.

Reference in Katz and Lindell: I was asked to give references to the material we covered in class to the Katz and Lindell book. Katz and Lindell go into MUCH more detail than we cover in this class, so I provide this info for reference: Section 9.4 (Diffie-Hellman Key Exchange), 10-10.2.1 (public key encryption), 10.4-10.4.2 (RSA encryption [This section is a particularly good reference]), 12-12.4 (Signatures).

Public Key Infrastructure (PKI) and Certificates (Feb 20-Feb 25)

Public Key Infrastructure and the web PKI. The principle of least privilege. Certificate Authorities (CAs). The difference between CA certificates and EE certificates. Attacks on CAs and problems with the web's PKI.

For instructions on how to look at the preinstalled certificates on your browser, see here.

These slides from CS155 at Stanford provide an overview of the basic web security model.

These slides from CS155 at Stanford provide an overview of web vulnerabilities.

Required readings: Please read the Friedl techtip on SQL injection that was discussed in class, and this excellent article on Secure Session Management With Cookies for Web Applications. You should also review the slides above to understand XSS and CSRF.

Optional readings: Here is a reference on CSRF.

TCP/IP and its security (March 27-April 3)

My slides will be posted on Piazza.

We played with traceroute during lecture. If you have never done this before, log into csa2 and run the command traceroute example.com and see what happens; (obviously replacing example.com with whatever destination you like). How many hops does it take to get to a destination in India? A destination in the US? A destination in Singapore? A destination in South Africa?

You can run your own DNS queries by logging into csa2.bu.edu and running dig +trace example.com, obviously replacing example.com with whatever domain you want to look at. Dig can let you look at pretty much anything in the DNS; type man dig on csa2 to see some options, or find a dig tutorial online. If you want to look at DNSSEC deployments using dig, this tutorial is a good place to start.